Applicant's response of 2/28/07 has been entered. The examiner will address
applicant's remarks at the end of this office action. 

1. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

2. Claims 1-25,27-56,58-89,119-122, are rejected under 35 U.S.C. 101 because the 
claimed invention is directed to non-statutory subject matter. 

For claims 1,16-18,24,31,63,76, it is claimed that a "detection rating" is 
determined, a QFD score is calculated, and it is claimed that a PRN is calculated using 
a specific formula. Each independent claim now requires that a "detection rating" be 
determined. The examiner takes notice of the fact that it is a person that decides what 
values the variables of "detection rating", "severity rating", and "process strength rating" 
are supposed to have. The examiner also notes that the specification provides no 
guidance on how one should go about determining the correct values for these 
variables, so that the result would be useful and would be repeatable. With respect to 
the "severity" and "process strength" ratings, the QFD is calculated from the 
multiplication of these two values together, see page 16 of the instant specification. 
Because all of the variables used to calculate the QFD score are disclosed as being 
determined by people and because there is no guidance given on how to go about 
choosing the appropriate values for these variables, the result of the invention is not 
considered to be concrete (i.e. it is not capable of being repeated to arrive at a particular 
result). The same is true for the "detection rating". This is disclosed as being 
determined by people, see page 17 of the specification. No guidance is given on how to
go about choosing the detection rating value. Because of the fact that different people 
may ascribe different values to the variables used in the equation, and because no 
guidance is given on how to go about choosing the values for the "detection rating", 
"severity rating", and "process strength rating", the result is not guaranteed. The claim 
is not statutory because the result is not concrete (i.e. it is not capable of being repeated 
due to the human factor). The input is judgmental and will vary from person to person 
so the result will vary as well. The same holds true for claim 24 that recites the 
variables used to calculate a PRN, the values used in the equation are determined by 
people and are judgmental in nature; therefore, the claim does not have a concrete 
result. Additionally, because the results are not concrete, the examiner does not see 
how the result is useful in the context of 35 U.S.C. 101. Because the calculated QFD
score and PRN are only as accurate as the inputted data is accurate, the result is not 
considered to be useful. If the result can vary depending on the person deciding what 
values the variables of the equation are supposed to have, and no guidance is given to 
allow two people to reasonably know how to determine the correct numbers, then one 
cannot have any confidence in the obtained result, because it is only as good as the 
data inputted into the equation, which is determined by people with no standards to go 
by. There is no guarantee that the result obtained is even accurate, because the entire 
equation is based on a person's perception and judgments as to what the "detection 
rating", "severity rating", and what the "process strength rating" is. 



Application/Control Number: 09/848,051 
Art Unit: 3629 



Page 4 



3. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

4. Claims 1-25,27-56,58-89,119-122, are rejected under 35 U.S.C. 112, first 
paragraph, as failing to comply with the enablement requirement. The claim(s) contains 
subject matter which was not described in the specification in such a way as to enable 
one skilled in the art to which it pertains, or with which it is most nearly connected, to 
make and/or use the invention. 

For claims 1,31,63,76, it is claimed that a "detection rating" is determined. Each 
independent claim now requires that a "detection rating" be determined. The examiner 
takes notice of the fact that it is a person that decides what value the variable
"detection rating" is supposed to have. The examiner notes that the specification
provides no guidance on how one should go about determining the correct values for 
this variable, so one of skill in the art would be left guessing on how to do what is 
claimed. The "detection rating" is disclosed as being determined by people, see page 
17 of the specification. People determine what the detection rating is going to be, and 
no guidance is given on how to go about choosing the value for the detection rating. 
How would one of skill in the art do what is claimed? The only way they could do it is
by guessing or randomly picking a value for the detection rating. This does not teach to 
one of skill in the art how to go about and use the claimed invention. How is the 
detection rating arrived at? Because this is not disclosed, and because it is disclosed 
that a person chooses the value, the claim is not considered to be enabled. There is 
not enough of a disclosure to allow one of skill in the art to make and use the claimed
invention without undue experimentation (which is present due to the lack of guidance). 

With respect to claims 31,63-89, and the recitation that the server prioritizes the
compliance risks for the business, identifies potential failure modes with causes and 
effects, and recommends risk monitoring and control mechanisms, one of skill in the art 
would not be able to make the server do what is claimed. This is because the applicant 
has disclosed that it is people that do these steps, not the server. One of skill in the art 
would not be able to figure out how to get the server to prioritize the risks because this 
depends on what the business sees as the most risky based on any known 
consequences that may happen if the risk materializes. How would one of skill in the art 
go about making the server prioritize the risks, especially for a plurality of different 
business settings that have different compliance issues that need to be dealt with? How 
is this done? How can the server know what to do? With respect to identifying failure 
modes and the causes and effects, how is this done by the server? How does the 
server know what possible failures could occur for any kind of business process? The 
same is true for the recommendation of risk monitoring and control mechanisms, how 
does the server do this? One of skill in the art would be left guessing how to program 
the server to do what the specification disclosed is being done by people. The server is 
clearly used in the storing of data and in collecting/receiving the data, but the 
specification is full of references to the fact that it is people doing the majority of the 
actions, not the server. One of skill in the art would not be able to make the invention
as claimed and undue experimentation would be involved to make the server do what
is claimed. The claims are not enabled because one of skill in the art would not be able
to make a server that does everything that is claimed. 

For claims 63-89 the following paragraphs are relevant to what is claimed and 
these issues were not addressed by applicant in the most recent response to the last 
office action. 

For claims 32,33,35,36, the claim is not enabled. How can the server assemble 
the cross-functional team and conduct an interview with a person, etc.? As stated with
respect to claim 31, people are disclosed as doing these steps, not the server. People,
not the server, also do the summary of the results. One of skill in the art would not be 
able to make the server do what is claimed and undue experimentation would be 
involved. 

For claim 34, one of skill in the art would not be able to go about and make a 
server that can create a questionnaire as claimed. How can the server know what the 
business is and what questions should be asked? The server cannot do this step, 
people do. Applicant has not disclosed how one of skill in the art can make the server 
do what is claimed. 

For claims 37,38, how can the server compile results on its own? One of skill in 
the art would not know how to go about and make the server do what is claimed. 

For claims 39-42, how would one of skill in the art go about making the server 
prioritize the risks deemed to be important to the business, especially when that is 
disclosed as being done by people. The server is not capable of knowing what the 
business management members know and cannot map a risk model, compile 
compliance requirements and prioritize them, assign a severity rating (disclosed as
being done by people), etc. One of skill in the art would not be able to make the server
do what is claimed, especially in view of the fact that the specification discloses that 
people do these steps. The same is true for claim 40, the guidance from the 
specification does not include how to make the server do what is claimed because 
people do it. For claim 41, how does the server compile a list of requirements that
include company policy as well as the other recited requirements? The server does not
compile the various requirements; it is an employee that compiles the requirements.

Claims 43-62 are also found to be non-enabled for the same reasoning as set 
forth above. The specification teaches that people compile the list of compliance 
requirements, people prioritize the risks, people assign severity ratings and process 
strength ratings, people map the risk model and identify possible failure modes, assign 
occurrence and detection factors, define recommended actions, etc.

For all of claims 31-89, Applicant has not given enough disclosure to enable one 
of skill in the art to make a computer system that has a server that does everything that 
is claimed. One of skill in the art reading the specification would be very confused 
because of the fact that it is disclosed that people do most of the recited steps, not the
server. One of skill in the art would have to undergo undue experimentation to design 
an intelligent system that can basically tell management what to do and more or less 
run the company with respect to compliance issues. The way the claims are written it is 
the server doing everything, but the specification teaches that most of the steps are 
done by people. The claims are not enabled for these reasons. 

5. The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

6. Claims 2,5,8,11,29,32,34,39,50,59, are rejected under 35 U.S.C. 112, second 
paragraph, as being indefinite for failing to particularly point out and distinctly claim the 
subject matter which applicant regards as the invention. 

For claims 2,8,32,34,50 the portion of claim 2 that recites "identifying and 
interviewing a plurality of process owners for the questionnaire answers" seems to 
contradict the amended language for claim 1. This problem then flows to claim 8.
Claim 1 recites that the questionnaire is displayed on a client system of a compliance 
person and they are the ones that submit answers. Claim 2 is reciting process owners 
as being interviewed. Which is correct? The language from claim 1 or what is claimed 
in claim 2? It is not clear as to who is providing answers for the questionnaire, is it the 
compliance person or the process owners? This is not clear.

For claim 5, it is claimed that the cross-functional team "that was used to conduct 
the compliance program assessment" is reassembled. Where was it previously claimed 
that a cross functional team was assembled to do any kind of compliance assessment? 
This is not previously recited as being in the claim scope, in fact that previous language 
about conducting a program assessment was canceled by amendment and it appears
this claim was simply not amended to be in agreement with earlier claims. This renders 
the claim indefinite because it is not known if the claim requires a functional team to 
conduct a compliance program assessment or not and it is not clear if they are being 
assembled once or more than once? The claimed recitation of "calculating Risk 
Prioritization Numbers" is also not clear. Is this another calculation step of another set
of RPNs in addition to the RPN calculation step that is recited in claim 1? How many 
different risk prioritization numbers are being calculated? Both claims recite the 
calculation of numbers with the same name. Due to the indefiniteness of the claim as a 
whole, it will be examined as the claim is best understood by the examiner. 

For claim 11,39, it is claimed that "the list of compliance requirements" is
compiled. Claim 1 recites that the compliance requirements are stored in the database 
but there is no mention of a list. Is the claimed list of compliance requirements the 
same as the requirements that are claimed as being stored in the database, see claim 
1? This is not clear. There is no antecedent basis for "the list of compliance
requirements". No list of any kind has previously been claimed. Also, if the 
requirements are already recited as being saved in a database, what does this step 
require that is not already within the scope of claim 1? This is not clear. The step of 
"prioritizing compliance risk areas" is not clear because claim 1 already recites that the 
compliance risks are being prioritized. Is this the same step as recited in claim 1, if not 
then what is the difference? Due to the indefiniteness of the claim as a whole, it will be 
examined as the claims are best understood by the examiner. 

For claim 29,59, what is a "policy dashboard"? One wishing to avoid 
infringement would not know what this is. This renders the claim indefinite. 

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

8. This application currently names joint inventors. In considering patentability of 
the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of 
the various claims was commonly owned at the time any inventions covered therein 
were made absent any evidence to the contrary. Applicant is advised of the obligation 
under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was
not commonly owned at the time a later invention was made in order for the examiner to 
consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g) 
prior art under 35 U.S.C. 103(a). 

9. Claims 1-16,18-23,25,27-45,47-53,55,56,58-89,119-122 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Fetherston (20020120642). 

For claims 1,3,5,6,11-16,18,19,21,23,29,31,39-45,47,48,51,52,59,63-65,68-89, 
Fetherston discloses a system and method of determining a company's compliance with 
legislative conditions and/or internal managerial conditions. Fetherston discloses a 
compliance management system that determines and identifies compliance or lack of 
compliance with certain criteria (relating to processes or products of business). The 
server is 2 and the database is 4 and/or 16. The client system is disclosed in paragraph 
28 where it is disclosed that the system can be a "stand alone" computer or may be 
connected to other components (computers) of a network. It is also stated that the
system can be implemented on separate networked computers accessible from all or
selected levels of an organization. Information concerning compliance is stored in the 
database as claimed. This includes a questionnaire (see figure 4, paragraphs 34 and 
38) and compliance requirements (see paragraph 12). Also see figure 4 where it is 
disclosed that one of the data entries is the "Department". Identifying the department 
also identifies the persons responsible for compliance (i.e. the employees in that 
department). In paragraph 38 it is disclosed that a user is forced to follow a process 
and pattern of data entry (by using a computer) to collect data needed to determine the 
level of compliance with the saved compliance requirements. This involves the 
displaying of the questionnaire of figure 4 on a client system (a computer) that is 
inherently based on saved compliance information relating to whatever requirements
have to be complied with. The server 2 then receives the entered data, and saving the 
data "processes" the data. The system also prioritizes the compliance risk for a 
business by identifying the compliance risks and prioritizing them from high to low 
based on a severity rating. Paragraph 42 discloses the identification of hazards (risks) 
that exceed a certain rating. This satisfies the claimed identification of the compliance 
risks. Assigning a numerical priority to each risk by using a "risk assessment rating" 
prioritizes the identified risks. The risk assessment rating satisfies the claimed "severity 
rating". The calculating of a risk prioritization number for each risk is satisfied by the 
disclosure that "the user may specify the threshold value, enabling an organization to 
concentrate first on high priority hazards by specifying a high threshold, then lowering 
the threshold to concentrate on lower priority hazards". The user "calculates" or figures 
out how important each risk is at the present time (based on factors which inherently
include current compliance with certain criteria, which is saved data stored in the 
database) to arrive at a prioritization number (threshold value) for each risk. Once the 
various risks are analyzed and management is aware of potential problems, 
implementation of controls such as training can be done. The database also stores 
information on training to be given (a control). 

Not specifically disclosed is the step of identifying failure modes with the causes 
and effects of the compliance failure modes along with the storing of this data in the 
database (also relates to the claimed FEMA for claim 11). Also not disclosed is the act 
of identifying the current control in place and a detection rating that represents whether 
or not the current controls that are in place will detect compliance failure modes. When 
one receives an indication that certain legislative requirements (or internal company 
criteria) are not being met, one of ordinary skill in the art would obviously want to know 
why that is happening, so that the problem can be fixed. One of ordinary skill in the art 
would also find it desirable to have some form of controls in place to detect when a 
condition may be violated as well as having a way to assess the effectiveness of the 
current controls. It is clear that one of ordinary skill in the art would not want to violate 
any compliance requirements and would take steps to ensure proper compliance. Upon 
receiving information that indicates failure to comply with certain compliance 
requirements, one of ordinary skill in the art at the time the invention was made would 
have been motivated and found it obvious to identify the failure modes for each risk, 
with the associated causes and effects of those failure modes so that the problem can 
be corrected (by taking actions). This is how one of ordinary skill in the art would go
about correcting the non-compliance issues identified. You must first identify the 
problem and figure out why it is happening (causes/effects) before you can arrive at a 
solution (an action). This is something that is obvious to one of ordinary skill in the art 
based on their knowledge and based on some common sense in problem solving. You
cannot correct a problem if you do not know why it is occurring. One of ordinary skill in 
the art would have been motivated to do what is claimed. With respect to having 
current controls in place to detect the failure modes, this is something that one of 
ordinary skill in the art would also find desirable. This is because one of ordinary skill in 
the art would find it desirable to ensure that you do not violate any compliance 
requirements. To ensure that you do not violate any compliance requirements, one 
must ask the question of how can this be done? One of ordinary skill in the art would 
have clearly considered monitoring by having some form of "controls" in place, so that 
any potential issues of non-compliance can be identified before they become a real 
issue. This is something that one of ordinary skill in the art would find desirable based 
on the problem being addressed and the level of knowledge that one of ordinary skill in 
the art has. With respect to the detection rating, this is taken as just an assessment of 
the controls in place that are to detect failure modes. Clearly, if you are using controls 
to identify failure modes, you must have some confidence with the current controls and 
must have some level of confidence that they will work as intended and will identify 
failure modes. One of ordinary skill in the art would have been motivated to also assess 
the controls that are in place as far as their effectiveness is concerned. It would have 
been obvious to one of ordinary skill in the art at the time the invention was made to
have some controls in place to detect failure modes and to also have a detection rating, 
that is an assessment of the overall effectiveness of the current controls. Also 
considered to be obvious is that recommended actions would be implemented to reduce 
the risk associated with each compliance risk that was identified. This is the reason you 
are looking at the risks in the first place. You want to take actions that will reduce the 
risk for each compliance risk. With respect to the storing of the data in the database, 
the Background of the invention section states that some legislation requires employers 
"to provide an audit trail of their actions that is sufficiently transparent to show that they 
have an effective management program which includes hazard identification, 
appropriate training and supervision of staff, recording details", etc. One of ordinary
skill in the art at the time the invention was made would have been motivated to save all 
of the compliance data in the database to ensure that there is a transparent audit trail 
that would be evidence of management doing what they are supposed to be doing as 
far as compliance monitoring goes. 

For claims 2,32,34,50, with respect to the limitation of defining what constitutes a 
yes answer, the examiner notes that paragraph 37 discloses that one of the formats for 
the questionnaire is a "true/false" type of format. That is the same as having yes or no 
answers. This inherently involves a previous determination as to what defines a yes 
(true) or no (false) answer so that the compliance assessment can be performed. 
People make up the forms and the questions, not the computer system. In Fetherston 
questionnaire answers are obtained, and results are compiled and presented to
management as claimed. Not disclosed is a "binary questionnaire", and the assembling
of a cross functional team. With respect to the "binary questionnaire", the use of binary 
code is very old and well known in the art. Binary language is the basic language that 
computers use for data. It would have been obvious to one of ordinary skill in the art at 
the time the invention was made to use a "binary" questionnaire because the use of 
binary code is very old and well known in the art and is something that one of ordinary 
skill in the art would readily be aware of. With respect to the assembling of a cross 
functional team, the examiner notes that applicant does not actually recite that the team 
does anything. One of ordinary skill in the art at the time the invention was made would 
have found it obvious to assemble a cross functional team (a team of employees) that 
would serve to help set up the entire compliance monitoring system and assist in 
determining what questions should be asked when a "true/false" format for the 
questionnaire is used. 

For claim 4, not specifically disclosed is the step of identifying failure modes with 
the causes and effects of the compliance failure modes along with the storing of this 
data in the database. When one receives an indication that certain legislative 
requirements (or internal company criteria) are not being met, one of ordinary skill in the 
art would obviously want to know why that is happening, so that the problem can be 
fixed. Upon receiving information that indicates failure to comply with certain 
compliance requirements, one of ordinary skill in the art at the time the invention was 
made would have been motivated to identify failure modes for each risk, with the 
associated causes and effects of those failure modes so that the problem can be 
corrected. This is how one of ordinary skill in the art would go about correcting the
non-compliance issues identified. You must first identify the problem and figure out why it is
happening (causes/effects) before you can arrive at a solution. One of ordinary skill in 
the art would have been motivated to do what is claimed. Also not disclosed is the 
prioritizing actions that need to be taken and the developing of a scorecard to be used 
as a monitoring and reporting tool. With respect to the prioritizing of actions that need 
to be taken, when one determines the reason why non-compliance is occurring and 
develops a proposed solution (actions that need to be taken), one of ordinary skill in the 
art at the time the invention was made would have been motivated to prioritize those 
actions that need to be taken so more effort can be spent on those actions that will 
provide more of a positive result, so that effort is not spent on actions that have a small 
effect on the problem. With respect to the development of a policy scorecard, one of 
ordinary skill in the art at the time the invention was made would have found it obvious 
to have some manner by which one could grade the efforts of management in 
compliance monitoring and in correcting any issues of non-compliance. This is 
interpreted to be the mere assessment or appraisal of the company in its efforts to 
ensure company compliance and in fixing the problems. Appraisals or reports on the 
performance of a company or a part of a company are nothing new (i.e. GAO reports of 
the Federal Government). 

With respect to claim 7, in addition to that disclosed above, not disclosed is 
ensuring that the actions are completed in a timely manner. One of ordinary skill in the 
art at the time the invention was made would have been motivated to ensure that any 
corrective actions that need to be taken are done in a timely manner, so that the
identified non-compliance risks will not continue. Timely completion of taking action to 
correct the problems is something that one of ordinary skill in the art would clearly 
appreciate. 

For claims 8,33,35,36,66,67, the questionnaire is a "question owners matrix". It 
is a matrix of questions to be answered. The use of a knowledge base is the use of the 
computer system and the stored data. That is a knowledge base. 

For claims 9,37, not disclosed is the use of a spreadsheet to compile the results. 
It is old and well known in the art that spreadsheets are used to process data and 
display data for anything one desires. One of ordinary skill in the art would have this 
fact in their knowledge. It would have been obvious to one of ordinary skill in the art at 
the time the invention was made to use a spreadsheet to display results data, because 
spreadsheets are well known as being a commonly used format to display data and is 
something that one of ordinary skill in the art would understand and appreciate. 

For claims 10,30,38, not disclosed specifically is the use of a program 
assessment summary and a policy assessment summary. Taking into consideration 
that the reason you are tracking compliance data is to ensure that you are in 
compliance with certain regulations or criteria and given that summary data is compiled
in Fetherston, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to present the upper members of management with a summary 
of how the "compliance program" is going by having a program assessment (is the 
program working and achieving real world results that justify the program's existence) 
and a policy summary, that summarizes what policies (i.e. training programs) are
working or not working. One of ordinary skill in the art would have been motivated to 
summarize the results as claimed. 

For claims 11,39, not disclosed is the mapping of a high level business risk
model and a quality function deployment. With respect to the risk model, one of 
ordinary skill in the art would have found the use of a risk model (very broad language) 
as obvious, because this is the way that one would go about analyzing the risk to a 
company. You would construct a risk model, which can simply be a report of the 
possible risks and how they may affect the company. With respect to the quality 
function deployment, as this is best understood by the examiner, this is the use of a 
matrix to summarize the compliance requirements (from page 12 of the instant 
specification). The use of a matrix is old and well known in the art. One of ordinary skill 
in the art would have found the use of a matrix obvious because one of ordinary skill in 
the art would recognize that matrixes can be used to summarize any kind of data one 
desires. 

For claims 20,49, not disclosed is the identifying of the top 3-5 compliance 
requirements that have the highest risk. One of ordinary skill in the art would clearly be 
the most concerned with those compliance areas that have the greatest risk. This is 
just obvious common sense that one of ordinary skill in the art would recognize. With 
respect to determining the top 3-5 compliance requirements, one of ordinary skill in the 
art would find it obvious to not just focus on one compliance risk area, but to focus on a 
plurality of the top areas of concern. Depending on the number of compliance areas in 
need of attendance, one of ordinary skill in the art would have found it obvious to
identify the top 3-5 compliance requirements that have the greatest risk to the business,
so that those risks can be minimized. 

For claims 22,53, not specifically disclosed is determining failure modes for each 
step in a process. In the rejection for claim 1, the issue of determining failure modes
and causes and effects was addressed. With respect to determining failure modes for 
each step in a process, one of ordinary skill in the art would have been motivated to do 
a complete failure mode analysis, which would involve looking at all steps of a process 
where failures could occur. One of ordinary skill in the art would be motivated to look at 
the entire process, not just one step, so that the analysis would be complete and as 
accurate as possible. With respect to brainstorming potential effects, this is part of the 
determination of the cause and effects that has been previously addressed. 
Brainstorming is just coming up with what the effects could be. 

For claims 25,55,56, not disclosed is the step of entering the recommended 
actions, an owner, and an expected date of completion into the matrix. The limitation of 
determining actions to be taken has already been addressed. With respect to the 
entering of these actions in addition to an owner and an expected completion date, one 
of ordinary skill in the art would have been motivated to track the recommended actions, 
who is responsible for ensuring they are followed through on, and when it is expected 
that they are going to be completed. This is information that one of ordinary skill in the 
art would have recognized as being important. If you take the time to formulate some 
actions that can be taken to minimize the risk to a company, you would also be 
motivated to track the progress of those actions and document who is responsible for
ensuring that those actions are undertaken, along with dates of when it will be 
completed, so that the management personnel overseeing the implementation of these 
actions will know what they are doing, who is doing it, and what the timeline is for the 
progress of those actions. One of ordinary skill in the art would have been motivated to 
do what is claimed. 

For claims 26,27,57, not disclosed is the reassigning of ratings and recalculation 
of the RPN or monitoring the progress. When one is using the method of Fetherston to 
address compliance risks, one of ordinary skill in the art would have been motivated to 
revisit the issues at a later point in time to see whether or not the risk of non-compliance 
has gone down (monitoring the progress). One of ordinary skill in the art would have 
found it obvious to recalculate the severity rating and take another look at whether or 
not the previously determined risk is still a priority that needs to be addressed. This 
inherently involves recalculating the RPN. 

For claims 28,58, with respect to the use of a policy scorecard, one of ordinary 
skill in the art at the time the invention was made would have found it obvious to have 
some manner by which one could grade the efforts of management in compliance 
monitoring and in correcting any issues of non-compliance. This limitation is interpreted 
to be the mere assessment or appraisal of the company in its efforts to ensure company 
compliance and in fixing the problems. Appraisals or reports (scorecards) on the 
performance of a company or a part of a company are nothing new (i.e. GAO reports of 
the Federal Government). 

For claims 60-62, the prior art is fully capable of operating as claimed. The
server can receive information in any of the claimed manners. 

For claims 119-122, when one has recommended an action to be taken, as these
claims require, one of ordinary skill in the art would clearly find it desirable to monitor 
the status of the recommended action (with updates) and one would naturally want to 
know if the action has completed or not. This is so that one can be assured that the 
action has been completed and when that has been done, one would naturally want to 
reassess the level of risk now associated with that compliance risk, especially after 
some action has been taken to reduce that risk. Once a risk is identified and one 
determines that the risk needs to be lowered, one takes steps to do so, such as by 
implementing control measures as already addressed by the examiner. When one is 
trying to lower risk, they are interested in finding out whether or not the risk has actually 
been reduced by whatever action has been taken. To recalculate the risk associated 
with a compliance risk, after an action has been taken to hopefully reduce that risk is 
considered to be obvious. One of ordinary skill in the art at the time the invention was 
made would have found it obvious to recalculate the risk as claimed (the PRN) after an 
action has been taken (which is required by the claims). 

10. Applicant's arguments filed 2/28/07 have been fully considered but they are not 
persuasive. 

With respect to the 101 rejection, applicant has argued that just because of the 
fact that certain variables used in the invention (used in the disclosed equations) may 
be measured by a person, such as an experienced risk assessor, does not mean that
the score is non-repeatable or that the invention fails to produce a concrete result. The 
examiner disagrees. The specification discloses that it is people who decide what 
values these variables are supposed to have. The specification contains numerous 
instances of disclosing that it is people who are determining the values to be used in the 
equations. There is also no guidance given in the specification on how one would go 
about determining the variables of "detection rating", "severity rating", and "process 
strength rating", which are used to calculate the RPN and the QFD score. Because of 
this fact one cannot be assured of any kind of repeatable result, due to the lack of 
guidance on how to determine these variables in addition to the fact that it is people that 
are determining these values. No guidance is given on how to determine any of the 
claimed ratings, so one would be left to simply guess and make up their own system of 
ratings. This does not allow the result to be concrete in the sense of 35 USC 101. This 
101 rejection is not being made just because it is people that are doing the claimed 
steps, the rejection is being made because there is insufficient guidance given in the 
specification to allow the result to be replicated to arrive at substantially the same result. 
The examiner disagrees with applicant's comment that the specification "clearly 
describes how the variables" are valued. The examiner does not see any disclosure 
that would explain how this is done. The statement that the invention produces a 
useful, tangible, and concrete result is noted but is just taken as a general allegation of 
compliance with 35 USC 101. With respect to the argument that it is an experienced
risk assessor that is determining the values for the variables, where is this in the 
specification? Even if this is true, this still does not result in a concrete invention,
because there is no guarantee that any two or more risk assessors will reasonably be 
expected to arrive at the same result, especially due to the fact that there is no standard 
rating system disclosed that one could use. The result would totally depend on the 
manner by which the risk assessors determine the variables used in the equation. As 
stated previously, without guidance on how this is done, the result is not considered to 
be repeatable to a point that would render the claimed result as "concrete". 

With respect to the other aspect of the 101 regarding the result not being 
considered as "useful", this was not addressed by applicant other than in making a 
general allegation that the invention produces a useful, tangible, and concrete result. 
The rejection will be maintained with respect to this issue of the 101 rejection due to 
there being no persuasive argument of record.

With respect to the 112, 1st rejection, the arguments are found to be non-persuasive.
Claims 31-89 have been rejected for the reason that it is not taught how to
program the server to do what is claimed (i.e. make the invention as claimed). 
Specifically, it is not taught how to make the server do all that is claimed, especially due 
to the fact that many of the claimed functions are actually done by people not the 
server. Applicant has drafted the apparatus claims to require that the server does steps 
that the specification discloses is being done by people. How is the server then 
programmed to do what is done by people? How is the server made to act like a person 
and render decisions they would render? It is not taught how to make the server do 
what is claimed. The entire argument seems to be based on the citation of parts of the 
originally filed specification. Applicant's comments do not sufficiently address the
issues set forth by the examiner. Citing different portions of the specification as 
applicant has done without explaining specifically how to make the server do what is 
claimed is not considered to be persuasive. Because the compliance risks of any 
business actually depend on the business itself, and because each business has its
own specific concerns and compliance issues, how would one of skill in the art go about 
and program the server to prioritize the risks and do all the other things that are 
claimed? It is people that decide what values the variables used in the equations are 
supposed to have. The compliance risks are determined based on a severity rating of 
non-compliance (this is in claim 1). The severity rating is determined by people and not 
the server. Paragraph 68 of the specification states that "Resources used to prioritize 
risk may include functional leaders, compliance leaders, compliance experts, policy 
owners, a management team, and legal counsel." This paragraph makes no actual
mention of the fact that the server prioritizes the risks. This is disclosed as being done 
by people. This then leads to the question of how does the server prioritize the risks if it 
is actually people that are determining all the values used to determine the severity 
rating, which is what determines the risk priorities and the people are the ones actually 
identifying what the compliance risks are? The issue that the examiner has with the 
claims is that it is disclosed that people do the things such as identify the compliance 
risks and determine the severity ratings, which then determines the actual priorities. 
How does the server go about and assemble a cross functional team, identify and 
interview for compliance as is claimed in claim 32? How does the server conduct an
interview with people and how does the server actually assemble the team for the
meeting? This is disclosed as being done by people not the server. In the apparatus 
claims applicant has claimed that the server is doing many of the steps that are 
disclosed as being done by people. The specification does not teach one of skill in the 
art how to go about and make the server do what is disclosed as being done by people. 
The rejection will be maintained and the issue of the "detection rating" has now been 
raised and is part of the current rejection of record. This is in response to the most 
recent amendment to the claims. 

The examiner also notes that with respect to the 112, 1st rejection, it appears
that applicant has failed to traverse the issues set forth for claims 32,33,35,36; claim 34; 
claims 37,38; claims 39-42; claims 43-62; and claims 31-89. Pages 5 and 6 of the last 
office action contain rejections of claims that applicant has not addressed in any specific 
manner. The rejections will be maintained. 

With respect to the 112, 2nd paragraph rejection, the arguments are not
persuasive for some of the claims. 

For claims 2,8,32,34,50, the issue set forth by the examiner has not been 
addressed by the amendment. It is not clear who is providing the answers for the 
questionnaire? This is the issue at hand in this rejection. Applicant's explanation is just 
an allegation of compliance with 112, 2nd as no explanation has been provided
explaining why the rejection is not proper in view of the amendment. The rejection
will be maintained. 

For claims 5,11,39, only a portion of the rejection has been addressed by the
amendment. Applicant has stated that the amendments address the Examiner's 
concerns, with no explanation as to how. The remaining issues with respect to claim 5 
and claims 11,39, are in the current rejection of record and have not been overcome.
These aspects of the rejection will be maintained. Claim 11 also contains a new
rejection that is necessitated by amendment. 

For claims 29,59, the examiner notes applicant's explanation as to what a policy 
dashboard is, but where does support come from for this definition of this term? The 
examiner does not see where this is disclosed in the instant specification. How does 
applicant find that the term "policy" when used with dashboards is actually referring to 
an "action items list"? Where does this come from? How does "policy" somehow really 
mean "action items list"? The explanation that the term "policy dashboard" really 
means a "unified display of the action items list" is not found to be persuasive due to a 
lack of support for this definition. Where does this definition come from? The rejection 
will be maintained. 

With respect to the prior art traversal, the arguments are found to be non-persuasive.
Applicant argues two things. The first is that it is not obvious to identify the
failure modes, etc., along with a detection rating for the current controls. The second 
argument is that it is not obvious to store the data in a database. Applicant generally 
argues that the claim language is not found in the prior art. The majority of the remarks 
are made in a general sense and are more like general allegations of patentability than 
actual specific arguments. With respect to the obviousness of identifying failure modes, 
causes and effects, etc., applicant has stated "There is no motivation disclosed to
identify potential compliance failure modes, causes and effects, current controls in 
place, and a detection rating. Applicant's submit that one of ordinary skill in the art 
would not have been motivated to identify the current controls in place and the detection 
rating." This is not seen as addressing the obviousness statement and the reasoning 
set forth by the examiner in the 103 rejection of record. Why is it not considered to be 
obvious? What is the reasoning and the explanation behind this conclusion? This is 
nothing more than a general allegation. Also, the mere fact that the reference does not 
disclose motivation to do what is claimed does not mean that the rejection is not proper. 
If the reference disclosed what is claimed, it would be a 102 and not a 103 rejection. 
The examiner has provided an explanation as to why the missing limitation is 
considered to be obvious and this has not been addressed. The argument is not 
persuasive. The same holds true for the issue of storing the data in a database. 
Applicant has just argued that there is no motivation to store the data and has stated 
that the missing feature is not obvious with no supporting rationale or explanation for the 
examiner to consider. This is also found to be non-persuasive as it is not addressing 
the obviousness statement made by the examiner along with the rationale set forth by 
the examiner. Applicant has relied upon the arguments for claim 1 for patentability for 
all of other independent claims and dependent claims. The argument for claim 1 is not 
persuasive; therefore, the argument for the other claims (which is the same as for claim
1) is also found to be non-persuasive. 

11. Applicant's amendment necessitated the new ground(s) of rejection presented in
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37
CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

12. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Dennis Ruhl whose telephone number is 571-272-6808. 
The examiner can normally be reached on Monday through Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, John Weiss can be reached on 571-272-6812. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 